... AUTHENTICATION ... IN A DATA NETWORK




... a system wherein a computer ... over the Internet ... [a] user to be authenticated and authorized for a requested operation ... [a ticket (authentication information)] is generated by [the] server. The information in the ticket is hashed using, for example, [a hashing algorithm], and a hash number is generated. The hash number is then [encrypted with a] private key, and the identification [ticket is] ... [stored in] memory ... enabling a ... As [the] "ticket" ... [is used to] "authenticate" the user at each server.



User authentication is defined as ... [a user] attempting to access a system ... [the] system in order to filter and ... determine ... Any non-public system has [to tell its users] from one another ... or an object ... types of ...

The system and method described in US 6,263,432 saves the user from [having to log on] for each new network resource. The system and method also eliminate the need of ...

... the dynamic string ...

In another embodiment, the dynamic string contains a digital signature enabling the second network resource to check the identity of the first network resource.

... [On receiving the] dynamic URL address, the second network resource reads, from the HTTP Server Variables, the variable titled "REMOTE_ADDR" and picks up the sender's IP address. After getting the IP address, the network resource checks whether the obtained IP address appears on a list of acceptable IP addresses, and if not, denies the user [access]. (REMOTE_ADDR is the address of the immediate TCP peer: when the dynamic URL is opened from the user's browser, that peer is the user or the user's proxy rather than the first network resource, and behind a reverse proxy it is the proxy itself, so the allow-list check identifies the originating resource only when the first network resource sends the request directly.)




... whole "portal" or trade or commerce place. Instead, at least some of the services or content will be provided at a server managed by another party. Indeed, it is typical of the process of offering services, content, goods, etc., for there to be at least three parties involved. These parties are the operator, the service and/or content providers and the users. The operator owns the technical platform, offers accesses for users, collects and stores information about the users (CRM) and manages the actual market or commerce place. The aforesaid activities could also be divided between two or more operators or the like. The service and/or content providers are connected to the aforesaid operator. The users access the services through a "portal" or access point (e.g. WEB or WAP), which is maintained by the operator.

The present invention can be applied, e.g., in a dynamic e-commerce or m-commerce system. In a dynamic e-commerce or m-commerce system, transaction processing and billing of the transactions is implemented so that all parties are able to affect the availability, terms and billing of the transactions. This kind of ...



... [Finnish patent application] No. 2001240... (number partly illegible), ... [of the same applicant as the] present application, and which is incorporated herein by reference, ... Finnish patent application No. FI ... (number illegible), filed 11 April 2002 and not published at the time of filing the present application, describes ... [a] portal system in which the p...

The following [description uses an example] wherein a URL address is used as the dynamic string according to the invention. On the basis of [this description, a person] skilled in the art [will understand] how the invention can be utilised with other [types of] dynamic strings, such as strings transmitted by means of sockets, UDP, SIP, RTP, SMS or MMS. Thus, the following disclosure is by no way limiting the scope of the invention to the use of an URL address.



URL (Uniform Resource Locator) is the address of a resource on the Internet. The type of resource depends on the Internet application protocol. Using the World Wide Web's protocol, the Hypertext Transfer Protocol (HTTP), the resource can be an HTML page, an image file, a program such as a common gateway interface application or Java applet, or any other file supported by HTTP. The URL contains the name of the protocol required to access the resource, a domain name that identifies a specific computer on the Internet, and a hierarchical description of a file location on the computer.



Socket is a [software object that connects an application to a protocol] in a network. A socket is defined as "the endpoint in a connection" and [is created] and used with a set of [programming requests or "function calls" called the] sockets application programming interface (API). The most common sockets API is the Berkeley UNIX C interface for sockets. Sockets can also be used for communication between processes within the same computer. Sockets may be used with TCP/IP, UDP and RTP, for instance.



SMS (Short Message Service) is a service for sending messages of up to 160 characters (224 characters if using a 5-bit mode) to mobile phones that use Global System for Mobile (GSM) communication. SMS is similar to paging. However, SMS messages do not require the mobile phone to be active and within range and will be held for a number of days until the phone is active and within range. SMS messages are transmitted within the same cell or to anyone with roaming service capability. They can also be sent to digital phones from a Web site equipped with PC Link or from one digital phone to another.







UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit (called a datagram) from one computer to another. Unlike TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrives in. This means that the application program that uses UDP must be able to make sure that the entire message has arrived and is in the right order. Network applications that want to save processing time because they have very small data units to exchange (and therefore very little message reassembling to do) may prefer UDP to TCP. The Trivial File Transfer Protocol (TFTP) uses UDP instead of TCP.



SIP (Session Initiation Protocol) is an Internet Engineering Task Force (IETF) standard protocol for initiating an interactive user session that involves multimedia elements such as video, voice, chat, gaming and virtual reality. Like HTTP or SMTP, SIP works in the Application layer of the Open Systems Interconnection (OSI) communications model. The Application layer is the level responsible for ensuring that communication is possible. ...

RTP (Real-Time Transport Protocol) is an Internet protocol standard that specifies a way for programs to manage the real-time transmission of multimedia data over either unicast or multicast network service. Originally specified in Internet Engineering Task Force (IETF) Request for Comments (RFC) 1889, RTP was designed by the IETF's Audio-Video Transport Working Group to support video conferences with multiple, [geographically dispersed participants. RTP is commonly used in Internet telephony] applications. RTP does not in itself guarantee real-time delivery of multimedia data (since this is dependent on network characteristics); it does, however, provide the wherewithal to manage the data as it arrives to best effect.

RTP combines its data transport with a control protocol (RTCP), which makes it possible to monitor data delivery for large multicast networks. Monitoring allows the receiver to detect if there is any packet loss and to compensate for any delay jitter. Both protocols work independently of the underlying Transport layer and Network layer protocols. Information in the RTP header tells the receiver how to reconstruct the data and describes how the codec bit streams are packetized. As a rule, RTP runs on top of the User Datagram Protocol (UDP), although it can use other transport protocols. Both the Session Initiation Protocol (SIP) and H.323 use RTP.

MMS: Multimedia Messaging Service (MMS) is a messaging service for the mobile [environment] ... similar to the Short Message Service (SMS): it provides automatic immediate delivery for user-created [content from phone] to phone. MMS messages are primarily delivered from phone to phone, but also value-added services can be created by developing applications that send/receive MMS messages to/from phones. MMS also supports e-mail addressing, so that messages can be sent directly to an e-mail address. MMS transport is done using WAP transport and any bearer with WAP capabilities can be used. Thus, MMS is bearer independent and MMS is not limited to only GSM or WCDMA. WAP Wireless Session Protocol (WSP) is used for message transport from phone to MMSC and from MMSC to phone. In addition, WAP push features are used to deliver the [notification] message from server to receiving phone.

FIG. 1 depicts an overview of one possible system architecture that can make use of the invention. In FIG. 1, there are three local area networks (LAN 1, LAN 2, LAN 3) ... that can be accessed by users through the Internet or another communications network, such as a mobile telephone network, an internal data network (intranet) or a circuit switched telephone network. Through the main portal, there can be both access to public services that does not require authentication and also such services that are protected by a user name and password, for instance. The services accessible through the main portal can be hosted at the LAN 1 and/or the LAN 2 or 3. The invention is best suited for a situation in which [the user is authenticated at a first network resource] (e.g. LAN 1) and then [accesses services hosted at] LAN 2 or LAN 3 ... [A dynamic string pointing] from LAN 1 to a [service at LAN] 2 or LAN 3 [is generated, selected] by the user and activated, [and validated] in LAN 2 or 3, [without further action] by the user. Now, the user can use services at LAN 2 or 3 without separate authentication at LAN 2 or LAN 3.



In the process of FIG. 2, the following steps are performed:

1. The user selects a WEB or WAP Portal main page located at a first network [resource].

2. The WEB or WAP Portal requests [authentication].

3. Authentication is performed with the aid of a suitable method, e.g. the user may input a username and password or use a client certificate. Alternatively, the user can be authenticated by means of a ... identity, such as a mobile telephone ... telephone or a smart card attached to it.

4. The WEB or WAP Portal checks that the user is included in its user database.

5. If the user is not found in the DB, the WEB or WAP Portal will reject the user and ...

6. If the user is found in the DB, the WEB or WAP Portal will then fetch the set of [services related to that user] ...

7. If no WEB or WAP services will be found related to that [user], the WEB or WAP Portal will ... close the ...

8. If, instead, one or more WEB or WAP services are found related to that specific [user in] the DB, the WEB or WAP Portal will generate a dynamic URL, or a set of dynamic URLs, by means of which the user can access these WEB or WAP [services].

9. Once the dynamic URLs are generated, the WEB or WAP Portal will attach them to links to the WEB or WAP services available to the user and present [the links] to [the user].

10. The user selects a certain WEB or [WAP service].

11. The application of the WEB or WAP service selected receives the dynamic URL.

12. The application fetches all the parameters included in the dynamic URL it has [received].

13. The application verifies the validity of the URL received.

14. If the URL is found valid, the user will have access to the WEB or WAP service.

15. If, instead, the URL is found to be NOT valid, the [user will not have access to the WEB or WAP service].


FIG. 3 describes one process of creating a dynamic URL, according to one embodiment of the invention. This embodiment uses a hash algorithm, specifically the MD5 hash algorithm, which is, as such, well known in the art. In the process of FIG. 3, the following steps are performed:

1. [The parameters, e.g. the username, the timestamp, the name of the service] pointed to, the userID and the secret key are [concatenated into one string].

2. [The string is hashed with the hash] algorithm. Example:
Message = MD5(username+timestamp+servicename+userid+secretkey) = MD5(minion+311219991030+shoes+1234567890+*********) = 3C9F471D46838A4BC51E53DB48BA9FC

3. ... the secret key is not [included in the URL]; [only] the output of the MD5 [algorithm is placed in the] URL ...

4. The actual URL is generated by including into the URL 1) the http address of the service pointed to, 2) the parameters which were got and concatenated, as such, and 3) the hashed message. For example, an URL of this [kind]:
http://localhost/shoes.asp?username=minion&timestamp=311219991030&servicename=shoes&userid=1234567890&message=3C9F471D46838A4BC51E53DB48BA9FC

5. The generated URL is attached to the WEB or WAP service link.

(The hash value above is the illustrative value printed in the drawings; it has 31 hexadecimal digits, whereas an MD5 digest has 32. The construction hash(data+secret) keeps the secret out of the URL, but it is not a standard message authentication code; in practice one would use HMAC with a current hash function for this step.)



FIG. 4 describes one process of validating a dynamic URL, according to one embodiment of the invention. In the process of FIG. 4, which is suited to validating a dynamic URL generated by the process of FIG. 3, the following steps are performed:

1. The second network resource receives the URL [for authentication].

2. The application at the second network resource [fetches the parameters included in the URL].

3. [The application checks the timestamp included in the URL.]

4. [If the timestamp included in the URL is NOT valid, the application will inform the user and close the service.]

5. If instead the timestamp included in the URL is valid, the application will proceed to checking the validity of the MD5 message included in the URL.

6. To validate the MD5 message, the application creates a second HASH by inputting into a hash algorithm the parameters fetched from the URL, and the same secret key that was used to create the original message. The hash algorithm used is, of course, the same as in the first network resource that created the dynamic URL. Preferably, the hash algorithm is MD5.

7. After creating the second HASH, the application will compare the original MD5 message included in the URL (first hash) with the new message just created (second hash).

8. [If the messages are identical (the first hash equals the second hash), the] URL is valid and the user authorized to use that WEB or WAP service.

9. If instead the messages are NOT identical (the first hash differs from the second hash), the URL is NOT valid and the user will not be authorized to use the WEB or WAP service based on that URL.
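The generation of FIG. 3 and the validation of FIG. 4 carried through in code, as an added example that is not part of the patent and is not the applicant's code. It uses the parameter names and sample values of FIG. 5. The timestamp format DDMMYYYYHHMM (read off the sample value 311219991030), the five-minute validity window with one minute of clock skew, the sample secret, the separator-free concatenation of the MD5 variant and the added HMAC-SHA256 variant are this example's assumptions.

```python
"""Dynamic URL with a keyed hash, after FIG. 3 (generation) and FIG. 4
(validation). Added example, not the patent's own code; assumptions are
marked in the comments."""
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameter names of the information subpart, in the order they are hashed (FIG. 5).
INFO_FIELDS = ("username", "timestamp", "servicename", "userid")
# The drawings print the timestamp as 311219991030 = 31 Dec 1999, 10:30 (assumed DDMMYYYYHHMM).
TIMESTAMP_FORMAT = "%d%m%Y%H%M"
# Validity window for the timestamp check; the patent leaves the criterion open (assumed).
MAX_AGE = timedelta(minutes=5)
CLOCK_SKEW = timedelta(minutes=1)
# Constructed sample secret; the drawings show it only as asterisks. It never enters the URL.
SECRET_KEY = b"s3cr3t-portal-key"


def parse_timestamp(value):
    """Parse the URL timestamp; raises ValueError on a malformed value."""
    return datetime.strptime(value, TIMESTAMP_FORMAT)


def md5_message(info, secret):
    """The construction of FIG. 3: MD5 over the concatenated information
    subpart followed by the secret key, written as upper-case hex."""
    cleartext = "".join(info[f] for f in INFO_FIELDS).encode() + secret
    return hashlib.md5(cleartext).hexdigest().upper()


def hmac_message(info, secret):
    """Hardened variant (added here, not in the patent): HMAC-SHA256 over the
    fields joined with a separator, so different field splits ("ab"+"c" and
    "a"+"bc") cannot produce the same input string."""
    cleartext = "\x1f".join(info[f] for f in INFO_FIELDS).encode()
    return hmac.new(secret, cleartext, hashlib.sha256).hexdigest().upper()


def generate_dynamic_url(base_url, info, secret, mac=md5_message):
    """First network resource: address part + information subpart +
    validation subpart ("message"). Returns the URL to attach to the link."""
    params = {f: info[f] for f in INFO_FIELDS}
    params["message"] = mac(params, secret)
    return f"{base_url}?{urlencode(params)}"


def validate_dynamic_url(url, secret, now, mac=md5_message):
    """Second network resource (FIG. 4). Returns (accepted, reason)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    try:  # step 2: fetch the parameters
        info = {f: query[f][0] for f in INFO_FIELDS}
        received = query["message"][0]
    except KeyError as missing:
        return False, f"missing parameter {missing}"
    try:  # steps 3-5: timestamp check before any hashing
        issued = parse_timestamp(info["timestamp"])
    except ValueError:
        return False, "malformed timestamp"
    if not (now - MAX_AGE <= issued <= now + CLOCK_SKEW):
        return False, "timestamp expired"
    # steps 6-9: recompute with the shared secret and compare in constant time
    expected = mac(info, secret)
    if not hmac.compare_digest(expected.encode(), received.upper().encode()):
        return False, "message mismatch"
    return True, "valid"


if __name__ == "__main__":
    sample = {"username": "minion", "timestamp": "311219991030",
              "servicename": "shoes", "userid": "1234567890"}
    url = generate_dynamic_url("http://localhost/shoes.asp", sample, SECRET_KEY)
    print(url)
    print(validate_dynamic_url(url, SECRET_KEY, parse_timestamp("311219991032")))
```

Two points the text does not spell out: the two hashes are compared with hmac.compare_digest so that a mismatch is not revealed byte by byte through response timing, and the timestamp is checked before the hash is recomputed, as in steps 3 to 5. The MD5-with-trailing-secret form is what the drawings show; the HMAC variant is what one would deploy, and a validator configured for one rejects URLs made with the other.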



FIG. 5 shows an example of the parameters that can be used in the processes of FIG. 3 and FIG. 4. FIG. 5 shows also one example of a dynamic URL address comprising [these parameters].

The dynamic URL address of FIG. 5 comprises an address part pointing to a second network resource and a parameter part. In this example, the address part contains an address: "http://localhost/shoes.asp". The parameter part comprises two subparts: [an information subpart and a validation subpart]. ... [Each parameter of the information] subpart is [written as a parameter name] and a value given to it. In this example, four parameters are used. The parameters of this [example are: 1) the user name, 2) the timestamp, 3) the name of the] service at the second network resource, and 4) the user identification number. The selection of the parameters can be freely made according to the needs of the application. However, using a timestamp as one parameter has an advantageous effect on the security of the system. The number of parameters may vary; but, for security reasons, it is good to have at least some parameters as they [make it more difficult to break the hash].

... [The validation subpart contains a parameter "message"] and its value. The value of "message" is [the hash obtained by] inputting [the information subpart and the secret key into the MD5 algorithm] (see FIG. 5).
FIG. 6 describes one process of creating a dynamic URL according to another embodiment of the invention. This embodiment uses a digital signature, which is, as such, well known in the art. In the process of FIG. 6, the following steps are performed:

1. [The parameters, e.g. the username, the timestamp and the name] of the service are caught and concatenated [into one string]. ... may be used in the p... ... regarding string ...

2. [The string] is signed with the Private key of [the certificate of the first network resource]. For example, a signed string may look like this:
2DDE4R545HJIK4J353J4SH3J4H543HSH5I

3. The actual URL is generated by including into the URL 1) the http address of the service pointed to, 2) the parameters, which were got and concatenated before, as such, and 3) the digitally signed signature. In this example, the URL looks like this:
http://localhost/shoes.asp?username=minion&timestamp=311219991030&servicename=shoes&certificateserialnumber=12345AA456DF755890&signature=2DDE4R545HJIK4J353J4SH3J4H543HSH5I

4. The generated URL is attached to the WWW or WAP service link.



FIG. 7 describes one process of validating a dynamic URL, according to one embodiment of the invention. In the process of FIG. 7, which is suited to validating a dynamic URL generated by the process of FIG. 6, the following steps are performed:

1. The second network resource receives the URL for authentication. The HTTP URL of this example looks like this:
http://localhost/shoes.asp?username=minion&timestamp=311219991030&servicename=shoes&certificateserialnumber=12345AA456DF755890&signature=2DDE4R545HJIK4J353J4SH3J4H543HSH5I

2. The application will fetch the parameters included in the URL; in this example, the parameters include: the username, the timestamp, the servicename and the serial number of the certificate used in signing the URL.

3. The application checks [the timestamp included in the URL].

4. If the timestamp included in the URL is NOT valid, the application will inform the user and close the service.

5. If instead [the timestamp is valid], the application proceeds with checking the validity of the Digital Signature included in the URL.

6. To validate the Digital Signature, the application creates a HASH of the cleartext fetched from the URL.

7. The application generates another HASH by applying the Public Key of the same certificate that was used to sign the URL over the Digital Signature received.

8. The application compares the two HASHes generated.

9. If the two HASHes are identical, the URL is deemed valid and the user authorised to use that WEB or WAP service.

10. If instead the two HASHes are NOT identical, the URL is NOT valid and the user will not be authorised to use that WEB or WAP service based on that URL.
... [FIG. 8 shows the parameters used in the processes of FIG. 6 and FIG. 7 and an example of the resulting dynamic URL address. As in FIG. 5, it is good to have at least some] parameters as they make it more difficult to break the hash.

After the information subpart there is shown a validation subpart that contains a parameter "signature" and its value. The value of the "signature" represents the digital signature of the information subpart, signed with the Private key of the certificate referred to in the information subpart (certificateserialnumber).
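The signing of FIG. 6 and the verification of FIG. 7 and FIG. 8 in code, as an added example that is not part of the patent and not the applicant's code. The text describes the check as hashing the cleartext and applying the public key to the received signature; textbook RSA (no padding) matches that description literally and is implemented here from the standard library so that the block runs offline, but a deployment would use PKCS#1 v1.5 or PSS signatures from a real cryptographic library. The 512-bit key, SHA-256 as the hash, the field names of FIG. 8 and the certificate registry keyed by serial number (standing in for the certificate validity check of claim 27) are this example's assumptions; the timestamp check is the same as in the hash-based case and is not repeated here.

```python
"""Dynamic URL carrying a digital signature, after FIG. 6 (signing) and
FIG. 7/8 (verification). Added example, not the patent's own code.
Textbook RSA without padding: for illustration only."""
import hashlib
import random
from urllib.parse import parse_qs, urlencode, urlsplit

# Information subpart of FIG. 8, in the order it is signed.
INFO_FIELDS = ("username", "timestamp", "servicename", "certificateserialnumber")


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test, adequate for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits=512, seed=None):
    """Toy RSA key pair: returns (public (n, e), private (n, d)).
    `seed` makes the pair reproducible for the demonstration."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def cleartext(info):
    """The signed string: the information subpart as it appears in the URL."""
    return urlencode({f: info[f] for f in INFO_FIELDS}).encode()


def sign_information(info, private_key):
    """FIG. 6: hash the cleartext, then apply the private key to the hash."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(cleartext(info)).digest(), "big")
    return format(pow(digest, d, n), "X")


def verify_information(info, signature_hex, public_key):
    """FIG. 7 steps 6-8: hash the cleartext, recover the signed hash from the
    signature with the public key, and require the two to be identical."""
    n, e = public_key
    try:
        sig = int(signature_hex, 16)
    except ValueError:
        return False
    if not 0 < sig < n:
        return False
    expected = int.from_bytes(hashlib.sha256(cleartext(info)).digest(), "big")
    return pow(sig, e, n) == expected


def generate_signed_url(base_url, info, private_key):
    """First network resource: address part + information subpart + "signature"."""
    params = {f: info[f] for f in INFO_FIELDS}
    params["signature"] = sign_information(params, private_key)
    return f"{base_url}?{urlencode(params)}"


def validate_signed_url(url, registry):
    """Second network resource. `registry` maps certificate serial number ->
    (public key, revoked flag), standing in for the certificate check of
    claim 27. Returns (accepted, reason)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    try:
        info = {f: query[f][0] for f in INFO_FIELDS}
        signature = query["signature"][0]
    except KeyError as missing:
        return False, f"missing parameter {missing}"
    entry = registry.get(info["certificateserialnumber"])
    if entry is None:
        return False, "unknown certificate"
    public_key, revoked = entry
    if revoked:
        return False, "certificate revoked"
    if not verify_information(info, signature, public_key):
        return False, "bad signature"
    return True, "valid"
```

The serial number in the URL is chosen by whoever builds the URL, so by itself it proves nothing: the second network resource must resolve it against a certificate store it already trusts and refuse unknown or revoked entries before the signature is even examined, which is what the registry lookup does here. With that lookup in place a URL signed under some other key fails at the signature step, and any change to the information subpart after signing is detected in the same way.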




1. A method for preparing user authentication and/or [authorization information at a] first network resource for ... [the method comprising] ... an address part pointing to [a second network resource] ... comprising in ...

2. [A method according to claim 1, wherein] ...

3. A method according to claim 1 or 2, wherein the parameter part of the dynamic [string] ...

4. [A method according to claim 3, comprising] a step of inputting [into a hash algorithm data that] includes at least part of the [information subpart] ...

5. [A method] according to claim 3, [comprising] a step of inputting [into a hash algorithm data that] includes at least part of the information subpart, and digitally signing the thus formed hash to form a digital [signature] ...

6. A [method according to claim 5, wherein data relating] to the digital [signature], such as the serial number of the certificate used in producing the digital signature, is included in the data input into the hash algorithm.

7. A [method according to any of claims] 4 to 6, wherein [the dynamic string] includes a [time stamp, and wherein the] time is included in the data that is input into a hash algorithm.

8. A [method according to claim 7, wherein the time stamp] is a time ...

9. [A method according to any of the preceding claims, wherein the] dynamic string includes the user name and/or the user ID of the authenticated [user].

10. A method according to ..., wherein the ...

11. A method according to claim 2, wherein the ...

12. [A method according to ..., wherein the first network resource] has a private key ... and the step of preparing [the dynamic string comprises ... a hash] algorithm ... and a step of placing the digital [signature] into the parameter part of the dynamic [string].

13. A method according to claim 1, wherein the step of [preparing the dynamic string comprises]:
- preparing an information parameter part including the time stamp and parameters relating to a service at the second network resource and/or the user,
- obtaining a [secret] key [known to] the [first and second network resources],
- using the address part, the [information parameter part and the secret key as input to] a hash algorithm to form a hash, and
- [combining the address part, the information parameter] part and the hash to [form the] dynamic string.

14. A method according to claim 1, [comprising]:
- preparing an address part pointing to the second network resource,
- preparing an information parameter part including the time stamp, the [serial number] of the [certificate] of the first network resource, [parameters relating to a service at the second] network resource and ...,
- [inputting ... into a hash algorithm] to form a hash,
- signing the hash with the digital [signature private key] ... included in ..., and
- [combining the address part, the information parameter] part and the digital [signature to form the dynamic string].

15. A method for accepting, at a second network resource, a user authentication and/or authorization ..., the method comprising:
- [receiving a dynamic string prepared] by the first network resource and ..., and
- [using a cryptographic method to verify the received information on the user] authentication and/or authorization performed at the first network resource.

16. A method according to claim 15, wherein the received information on the user authentication and/or authorization includes a hash, and wherein the step of using a cryptographic method to verify the received user [authentication and/or authorization information comprises] ... [accepting the user] only if the ... received dynamic string ... using a ... at least part of the [received dynamic string] ..., wherein said data includes [a] code unknown to a third [party] ..., and wherein the step of ...

17.-18. ... a cryptographic ... user ...

19. A method according to claim ..., [wherein the received dynamic string includes data] relating to the digital signature, such as the serial number of the certificate used in [signing], and the step of using a cryptographic method to verify [the received information comprises] a step of checking [the identity] of the signing party with the aid of the data relating to the digital signature.

20. A method according to any of claims 15 to 19, wherein [the received dynamic string] includes data indicating a point of time, and further comprising:
- checking the point of time against a security criterion, and
- ...

21. [A method according to claim 20, further comprising] a step of denying the user [authentication and/or authorization if the time stamp] has expired.

22. A method according to any of claims 15 to 20, [wherein the received dynamic string] includes the user name and/or the user ID of the [authenticated user].

23. A method according to any of claims 15 to 21, wherein [the received dynamic string] includes parameters relating to a service at the second network [resource].

24. A method according to claim 15, wherein the step of using a cryptographic [method] to verify the received user authentication and/or authorization information [uses a] secret key [known to the first and second] network resource[s] ...

25. ...

26. [A method according to ..., comprising:]
- checking the time stamp,
- ...
- checking the validity of the obtained digital signature with the aid of said information parameter part and ..., and
- denying the user authentication and/or authorization if the digital signature is not valid or if the time stamp has expired.

27. A method according to claim 26, further comprising the steps of:
- checking the validity of the digital certificate with the aid of the serial number ...

28.-29. ... on the basis of the received ... second network server.

30. A method according to ..., [further comprising the] steps of:
- obtaining, from the HTTP Server, the IP address of [the sender], ...
- ...

31. A method according to any of claims 15 to 30, wherein the accepted user authentication and/or authorization relates to the first network resource, or an entity within the first network resource, and authenticates and/or authorizes [the user] ...

32. A method according to [any of claims] 15 to 30, wherein the accepted user [authentication and/or authorization relates to] ... the second network resource.

33. A [method for transferring a user] authentication and/or authorization from a first network resource to a second network resource, [comprising] ... a step of ... [an address] part of a dynamic string pointing to the second network resource.

34.-35. ... [wherein the information] verifying the user [authentication] and/or authorization includes a time stamp given to the user ... [A method according to] any of claims 33 to 35, wherein ...

36. A [method according to ..., wherein the] second [network resource] ... third party.

37. A method according to any of claims 33 to 36, wherein ...
FIG. 3 (flow chart; recovered content):
- Get and concatenate parameters: username+timestamp+servicename+userid+secretkey
- HASH the string with MD5: MD5(minion+311219991030+shoes+1234567890+*********) = 3C9F471D46838A4BC51E53DB48BA9FC
- Generate the URL: http://localhost/shoes.asp?username=minion&timestamp=311219991030&servicename=shoes&userid=1234567890&message=3C9F471D46838A4BC51E53DB48BA9FC
- Attach URL to the WEB/WAP Service link

FIG. 5 (parameter table; recovered content):
USERNAME: minion
TIMESTAMP: 311219991030
SERVICENAME: shoes
USERID: 1234567890
SECRETKEY: *********
Message = MD5(username+timestamp+servicename+userid+secretkey) = MD5(minion+311219991030+shoes+1234567890+*********) = 3C9F471D46838A4BC51E53DB48BA9FC
URL: http://localhost/shoes.asp?username=minion&timestamp=311219991030&servicename=shoes&userid=1234567890&message=3C9F471D46838A4BC51E53DB48BA9FC

FIG. 6 (flow chart; recovered content):
- Get and concatenate parameters
- Generate the digital signature using the certificate's Private Key: Sign(minion+311219991030+shoes+12345AA456DF755890) = 2DDE4R545HJIK4J353J4SH3J4H543HSH5I
- Generate the URL: http://localhost/shoes.asp?username=minion&timestamp=311219991030&servicename=shoes&certificateserialnumber=12345AA456DF755890&signature=2DDE4R545HJIK4J353J4SH3J4H543HSH5I
- Attach URL to the WEB/WAP Service link

FIG. 8 (parameter table; recovered content):
USERNAME: minion
TIMESTAMP: 311219991030
SERVICENAME: shoes
CERTIFICATESERIALNUMBER: 12345AA456DF755890
SIGNATURE: 2DDE4R545HJIK4J353J4SH3J4H543HSH5I
URL: http://localhost/shoes.asp?username=minion&timestamp=311219991030&servicename=shoes&certificateserialnumber=12345AA456DF755890&signature=2DDE4R545HJIK4J353J4SH3J4H543HSH5I